Finn Brunton is an assistant professor at the University of Michigan's School of Information.
Jay Jackson/Courtesy Finn Brunton
hide caption

itoggle caption
Jay Jackson/Courtesy Finn Brunton

Finn Brunton is an assistant professor at the University of Michigan's School of Information.

Jay Jackson/Courtesy Finn Brunton

Open up your email on any given morning and you might get two or three notes from friends — and twice as many from people trying to sell you energy pills, offshore real estate or virility enhancers.

And some promise riches: You've just won the Lithuanian National Lottery, which you cannot recall entering, or that a man in Kenya needs your help: "Please, sir, only you can help" to move $20 million through your bank account; all he needs is your routing number.

That's spam. Not the meat-like loaf, but unbidden emails, many of them not even sent by actual people, but robot programs. And their volume is often much greater than the amount of real information people find in their inboxes.

In Spam: A Shadow History of the Internet, Finn Brunton, an assistant professor at the University of Michigan's School of Information, explains how those unwanted emails make their way into our inbox.

Brunton talks about this daily irritation, its origins and ways to avoid online dangers with NPR's Scott Simon.

Interview Highlights

On how a tiny island in the South Pacific become the center for spam

"It's a marvelous story. Pitcairn Island, which is the least populated jurisdiction in the world, fascinated me because I was familiar with it only as an extremely minor historical event. It's where the Bounty mutineers went when they needed to find an extremely remote place to hide. And I was shocked to learn that, per capita, Pitcairn Island was the world's No. 1 source of spam. I was just wondering ... how is this possible? What has happened is one of the computers on the island has been taken over by a malware program — so this island with 45 or 50 people is broadcasting spam without anyone consciously intending it."

On how a Monty Python sketch became the name for all that unwanted email

"The old rule of thumb in media history was that the first private use for any new major communications technology is pornography. But somewhere, cheek by jowl with that, is humor. One of my favorite details about the history of the telegraph is how quickly an incredible subculture of jokes and gags and pranks and references began to proliferate among the telegraph boys who were actually managing the equipment.

"But indeed, in the case of the Internet, from very early on when it was just these early, often somewhat ragged or haphazard networks between computers mostly in academic settings, the graduate students who were using these machines — as soon as they were not required to use them for some professional purpose, as soon as they had an off hour to kill in the basement — started using them to replay old Monty Python routines — getting back to jokes.

"And of course one of the most famous Monty Python routines is the sort of spam chorus that the Vikings deliver in the made-up Green Midget Café in that sketch where that couple is trying to order something from the menu and everything has spam in it. So it sort of starts off as a joke, but the term very quickly becomes the universal term for anyone who's doing that kind of annoying, jokey, time-wasting behavior on these very early computer networks."

On how spam can become far more than just a nuisance

"When you get a spam message, sometimes it'll have an attachment and ... it will be a message from a friend. And it'll say, 'Oh hey, could you take a look at this?' And then you open it and it doesn't seem to do anything; it's just a bunch of weird symbols or it fails to open. And you assume something went wrong, I'll just delete this and carry on with my day.

"When you've launched that, an exploit within the structure of the software that you're using has quietly taken over your computer and it is using the computer's broadband connection to quietly, in the background, without your knowledge, begin sending out spam messages following the instructions of a central network called a command and control system .

"So what that means if it costs you nothing to send 100 million messages and only some vanishingly small percentage of a percentage ever get through, well just send 100 million more, you know? And if you can get another 2,000 or 3,000 actually through, you can still make a viable business out of it."

On how spam turns from a business to a criminal enterprise

"You always had spammers who were just crooks. But then you had a lot of people who were moving business models in from the world of, for example, pharmaceutical advertisements in the back pages of weightlifting magazines. The people working now are out and out criminals, and that actually frees them up to potentially make a lot more money than they did before. Because if they can convince you to buy something, it's no longer about actually selling you the pharmaceuticals; it's about taking your credit card information and then using that for identity theft purposes.

"And to be clear, spam email is upwards of 85 to 90 percent of all email sent on any given day. It's just that most of the time we don't see most of it because our filters are pretty good. But it's a tidal wave that's slamming into these walls that we've built day after day after day. And we see the little bit that slops over."

On how you can protect yourself from identity theft online

"I use what's called a password manager in my browser. This is a system [that] will automatically generate very, very long passwords for any new account you need to set up and it will keep track of all of them for you and log you in. Because the major danger here is not that someone will necessarily steal your computer. The major danger is an automatic system that breaks into Gawker's password store [for example] and then begins to systematically search the Internet for other things of yours that it can access using that particular arrangement of email and password. Having a good password manager makes that impossible."

WEB EXTRA: On one more thing you do to guard your important accounts

How To Protect Yourself Online

"For everything of real importance in your life, like your banking information or your personal, central email account, see if they will allow you to use something called two-factor authentication. It's a system in which you simultaneously have your password and then, you also have to have something else — generally a number — that changes over time. And you have to be able to enter that as well. For example, Gmail has allowed this. When you're logging into your Gmail account, you type in your [login] name and your password and then it texts a brief set of digits to your phone. You have to enter those as well. This is important because it means you have to be physically in possession of your phone as well as your password to actually log in, which prevents the whole world of people just trying attacks where they guess every password in the dictionary or guess every password in a certain space."